fix(security): add .gitleaksignore for BMAD false positives

matthew-on-git · claude · matthew-on-git · commit ad55b902f21e · 2026-03-03T00:02:44.000-06:00
Gitleaks flags SHA-256 content hashes in _bmad/_config/files-manifest.csv
and an example JWT in _bmad/tea/testarch/knowledge/api-testing-patterns.md
as generic-api-key findings. These are false positives — the hashes are
file content checksums and the JWT is a documentation example.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -0,0 +1,17 @@
+# .gitleaksignore — Gitleaks false positive allowlist
+#
+# Add fingerprints of allowed findings to suppress false positives.
+# Each line is a finding fingerprint from `gitleaks detect -v` output.
+#
+# See: https://github.com/gitleaks/gitleaks#configuration
+
+# _bmad/tea/testarch/knowledge/api-testing-patterns.md — example JWT in docs
+_bmad/tea/testarch/knowledge/api-testing-patterns.md:generic-api-key:680
+
+# _bmad/_config/files-manifest.csv — SHA-256 content hashes, not secrets
+_bmad/_config/files-manifest.csv:generic-api-key:241
+_bmad/_config/files-manifest.csv:generic-api-key:242
+_bmad/_config/files-manifest.csv:generic-api-key:244
+_bmad/_config/files-manifest.csv:generic-api-key:260
+_bmad/_config/files-manifest.csv:generic-api-key:352
+_bmad/_config/files-manifest.csv:generic-api-key:376
